Following last week’s article about the potential risk of Ebola and the need for managers to have a contingency plan in place, we will look once again into the management of risks. In order to be able to reduce risk and to know what to do if things begin to go wrong it is important to carry out a risk analysis and draw up response plans. We will describe the concept of risk analysis and discuss how being aware of risks can help to develop a risk response plan or plan “B”.
Risk is sometimes calculated as the product of the chance that something bad may happen and the volume of loss this may cause. The higher the chance that something may happen and the bigger the effect this will have, the higher will be the risk. The level of risk may be reduced again by dividing the product by the capacity of an organization or community to deal with events. The equation looks as follows:
Risk = Chance x Effect
For example, the chance of Ebola to enter into a country may be substantial and the effect it may cause is potentially disastrous. The risk is high. However, the capacity of a nation to effectively deal with it right from the start will reduce the risk of the virus spreading further and the risk may be contained. Risks may be classified into the following categories:
- Strategic risks
- Operational risks
- Reputation risks
Strategic risks may be defined as risks to the organization’s objectives arising from adverse business decisions or improper implementation of those decisions. Key elements of strategic risks are the business’s strategies to achieve the objectives, the resources deployed to achieve the objectives, the quality of the implementation and security issues. For example, a company may decide to expand its operations and set up operations in a politically unstable country. We have seen many investors moving into South Sudan the moment it became an independent nation. While it seemed an excellent strategic opportunity at the time, later on it proved to be very high risk indeed.
Operational risks are the risks of direct or indirect loss resulting from inadequate or failed internal processes, people & systems or from external events. Key elements are the administrative organization of the business, financial management, accountability & compliance, internal control and again security issues. A company may for example decide to substantially increase its production output and sets up a new production line which requires different skills of the workers and consistent supply of electricity. The chance of things going wrong here exists and the company may not reach its production targets, resulting in initial losses.
Reputation risk is the potential that negative publicity regarding an institution’s business practices, whether true or not, will cause a decline in the social base, costly litigation or revenue reductions. Key elements of reputation risks are communication with all categories of stakeholders, strong and consistent enforcement of compliance, ensuring ethical practice and code of conduct. For example, a company may decide to open a factory in an upcoming economy country and the media report that the company does not apply environmentally friendly technology or exploits its workers by offering poor conditions of service.
Now, the essence of risk management or risk reduction is to be aware and act in time. How? By structured brainstorming (What if?), making a so called SWOT analysis (SWOT = Strengths, Weaknesses, Opportunities, Threats) and finally drawing up a risk management plan.
An effective risk management plan will basically consist of three components: A qualitative risk analysis, a detailed risk description and the risk response. Next week, we will see how this can be done in more detail.